Questions tagged [splunk-query]

438 questions
5 votes, 2 answers

How to get URL to specific Splunk event?

How can I get a URL to a specific Splunk event from a list of Splunk events returned by a search? If it's not possible, and I need to create a search that only returns that event, is there some unique ID for each event that I can use in the query?
Rob Bednark
4 votes, 1 answer

How to use/do where in column of a lookup in Splunk Search Query

I want the search with a field which matches any of the values in a lookup table. For now, I have used the below where-in query. But I still want to query with the lookup table instead of manually putting all those values in double quotes using the…
omkar sirra
4 votes, 1 answer

How to parse JSON metrics array in Splunk

I receive JSON from API in the following format: [ { "scId": "000DD2", "sensorId": 2, "metrics": [ { "s": 5414, "dateTime": "2018-02-02T13:03:30+01:00" }, { "s": 5526, …
3 votes, 1 answer

How to extract a value from fields when using stats()

Query: index = test | stats values(*) as * by ip_addr, location | where location="USA" | fields timestamp, user, ip, location, message Result: +--------------------------------------------------------------------+ | timestamp | user | ip …
ThomasWest
3 votes, 1 answer

Use sub-second precision on "earliest" in Splunk query

I have a Splunk search string. If I add earliest=10/05/2020:23:59:58, the search string still works. However, if I change that to earliest=10/05/2020:23:59:58:01, I get an error message saying invalid value "10/05/2020:23:59:58:01" for time term…
Jie
3 votes, 1 answer

Splunk: Unable to get the correct min and max values

I'm a newbie as far as Splunk is concerned with modest regex skills. We have events with the following patterns: fallbackAPIStatus={api1=133:...,…
3 votes, 2 answers

Stats Count Splunk Query

I wonder whether someone can help me please. I'd made the following post about Splunk query I'm trying to write: https://answers.splunk.com/answers/724223/in-a-table-powered-by-a-stats-count-search-can-you.html I received some great help, but…
IRHM
3 votes, 1 answer

Group event counts by hour over time

I currently have a query that aggregates events over the last hour, and alerts my team if events are over a specific threshold. The query was recently accidentally disabled, and it turns out there were times when the alert should have fired but did…
jjohnson8
3 votes, 0 answers

Splunk rest curl query fails to execute on the successive attempts with the session key authorization

The first attempt creates the Splunk SID, but the successive attempts to create a search ID fail. The same issue occurs while polling/consuming the search after SID creation on its successive attempts. Can anybody help point out the missing part? Curl…
sathish
3 votes, 1 answer

How to make Splunk query case sensitive

How do I make my query case sensitive? Say I want my search results for "Case Sensitive" and not "CASE sensitive" or "CASE SENSITIVE". This is what I'm using, which isn't helping: index=foo_foo sourcetype=foo "Is my query CASE(Case Sensitive)" I've…
Ganga B K
2 votes, 2 answers

How to calculate duration between two events in Splunk

I need to find the duration between two events. I went over the solutions on Splunk Answers and Stack Overflow, but still can't get the calculation. Both sentToSave and SaveDoc have the timestamp already formatted, which is why I used the case function. I…
Zara Z.
2 votes, 1 answer

Splunk: List indexes and sources to which one has access

Using this search command | eventcount summarize=false | dedup index | fields index I get a list of all indexes I have access to in Splunk. Is it also possible to get another column besides this in which the source for the index is visible…
Tobitor
2 votes, 2 answers

Splunk Enterprise: I am trying to calculate results where > 4% failure is an anomaly

Splunk Enterprise: I am trying to calculate results where > 4% failure is an anomaly. Is the formula correct to set the anomaly? (The failcount and total count fields are numeric.) | inputlookup sample.csv | eval isananomaly = if('Failcount' / 'Totalcount' *…
parth
2 votes, 1 answer

Splunk base search on dashboard and post processing the results

I have a dashboard that is using a base search, along with 4 other panels that reference this and format the results differently depending on the chart I want to use. When I run the base query by itself, it returns the data as expected. Base…
SBB
2 votes, 2 answers

Splunk query to retrieve value from JSON log event and get it in a table

I have a log event coming in a JSON format like this { "level":"level name", "exception":"exception message", "logger":"com.log", "thread":"thread name", "message":"exception message", "properties":{ "id":"1234", …
kenz